merge newui branch

apis/base.go

@@ -15,7 +15,7 @@ import (
 // StaticWildcardParam is the name of Static handler wildcard parameter.
 const StaticWildcardParam = "path"
 
-// NewRouter returns a new router instance loaded with the default app middlewares and api routes.
+// NewRouter returns a new router instance loaded with the default app middlewares and routes.
 func NewRouter(app core.App) (*router.Router[*core.RequestEvent], error) {
 	pbRouter := router.NewRouter(func(w http.ResponseWriter, r *http.Request) (*core.RequestEvent, router.EventCleanupFunc) {
 		event := new(core.RequestEvent)
@@ -34,6 +34,7 @@ func NewRouter(app core.App) (*router.Router[*core.RequestEvent], error) {
 	pbRouter.Bind(securityHeaders())
 	pbRouter.Bind(BodyLimit(DefaultMaxBodySize))
 
+	// API routes
 	apiGroup := pbRouter.Group("/api")
 	bindSettingsApi(app, apiGroup)
 	bindCollectionApi(app, apiGroup)
@@ -47,6 +48,9 @@ func NewRouter(app core.App) (*router.Router[*core.RequestEvent], error) {
 	bindRealtimeApi(app, apiGroup)
 	bindHealthApi(app, apiGroup)
 
+	// UI routes
+	bindUIExtensions(app)
+
 	return pbRouter, nil
 }
 

apis/collection.go

@@ -3,10 +3,12 @@ package apis
 import (
 	"errors"
 	"net/http"
+	"slices"
 	"strings"
 
 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tools/auth"
 	"github.com/pocketbase/pocketbase/tools/router"
 	"github.com/pocketbase/pocketbase/tools/search"
 	"github.com/pocketbase/pocketbase/tools/security"
@@ -23,6 +25,10 @@ func bindCollectionApi(app core.App, rg *router.RouterGroup[*core.RequestEvent])
 	subGroup.DELETE("/{collection}/truncate", collectionTruncate)
 	subGroup.PUT("/import", collectionsImport)
 	subGroup.GET("/meta/scaffolds", collectionScaffolds)
+
+	// @todo experimental
+	subGroup.GET("/meta/oauth2-providers", collectionListOAuth2Providers)
+	subGroup.POST("/meta/dry-run-view", collectionDryRunView)
 }
 
 func collectionsList(e *core.RequestEvent) error {
@@ -207,3 +213,84 @@ func collectionScaffolds(e *core.RequestEvent) error {
 
 	return e.JSON(http.StatusOK, collections)
 }
+
+type providerListItem struct {
+	order int
+
+	Name        string `json:"name"`
+	DisplayName string `json:"displayName"`
+	Logo        string `json:"logo"`
+}
+
+func collectionListOAuth2Providers(e *core.RequestEvent) error {
+	providers := make([]*providerListItem, 0, len(auth.Providers))
+
+	for name, factory := range auth.Providers {
+		p := factory()
+
+		providers = append(providers, &providerListItem{
+			order:       p.Order(),
+			Name:        name,
+			DisplayName: p.DisplayName(),
+			Logo:        p.Logo(),
+		})
+	}
+
+	slices.SortStableFunc(providers, func(a, b *providerListItem) int {
+		// sort by order
+		if a.order < b.order {
+			return -1
+		}
+		if a.order > b.order {
+			return 1
+		}
+
+		// fallback sort by name
+		if a.Name < b.Name {
+			return -1
+		}
+		if a.Name > b.Name {
+			return 1
+		}
+
+		return 0
+	})
+
+	return e.JSON(http.StatusOK, providers)
+}
+
+func collectionDryRunView(e *core.RequestEvent) error {
+	// extra precaution in case reused in custom route group
+	if !e.HasSuperuserAuth() {
+		return e.ForbiddenError("", nil)
+	}
+
+	form := dryRunViewForm{}
+
+	err := e.BindBody(&form)
+	if err != nil {
+		return firstApiError(err, e.BadRequestError("An error occurred while loading the submitted data.", err))
+	}
+
+	err = form.validate()
+	if err != nil {
+		return firstApiError(err, e.BadRequestError("An error occurred while validating the submitted data.", err))
+	}
+
+	result, err := e.App.DryRunView(form.Query, 10)
+	if err != nil {
+		return firstApiError(err, e.BadRequestError("Invalid view query. Raw error: \n"+err.Error(), nil))
+	}
+
+	return e.JSON(http.StatusOK, result)
+}
+
+type dryRunViewForm struct {
+	Query string `form:"query" json:"query"`
+}
+
+func (form *dryRunViewForm) validate() error {
+	return validation.ValidateStruct(form,
+		validation.Field(&form.Query, validation.Required, validation.Length(0, 5000)),
+	)
+}

apis/collection_test.go

@@ -536,7 +536,7 @@ func TestCollectionCreate(t *testing.T) {
 				`"type":"base"`,
 				`"system":false`,
 				// ensures that id field was prepended
-				`"fields":[{"autogeneratePattern":"[a-z0-9]{15}","hidden":false,"id":"text3208210256","max":15,"min":15,"name":"id","pattern":"^[a-z0-9]+$","presentable":false,"primaryKey":true,"required":true,"system":true,"type":"text"},{"autogeneratePattern":"","hidden":false,"id":"12345789","max":0,"min":0,"name":"test","pattern":"","presentable":false,"primaryKey":false,"required":false,"system":false,"type":"text"}]`,
+				`"fields":[{"autogeneratePattern":"[a-z0-9]{15}","help":"","hidden":false,"id":"text3208210256","max":15,"min":15,"name":"id","pattern":"^[a-z0-9]+$","presentable":false,"primaryKey":true,"required":true,"system":true,"type":"text"},{"autogeneratePattern":"","help":"","hidden":false,"id":"12345789","max":0,"min":0,"name":"test","pattern":"","presentable":false,"primaryKey":false,"required":false,"system":false,"type":"text"}]`,
 			},
 			ExpectedEvents: map[string]int{
 				"*":                              0,
@@ -585,7 +585,7 @@ func TestCollectionCreate(t *testing.T) {
 				`"name":"verified"`,
 				`"duration":123`,
 				// should overwrite the user required option but keep the min value
-				`{"autogeneratePattern":"","hidden":true,"id":"text2504183744","max":0,"min":10,"name":"tokenKey","pattern":"","presentable":false,"primaryKey":false,"required":true,"system":true,"type":"text"}`,
+				`{"autogeneratePattern":"","help":"","hidden":true,"id":"text2504183744","max":0,"min":10,"name":"tokenKey","pattern":"","presentable":false,"primaryKey":false,"required":true,"system":true,"type":"text"}`,
 			},
 			NotExpectedContent: []string{
 				`"secret":"`,
@@ -751,7 +751,7 @@ func TestCollectionCreate(t *testing.T) {
 				"name":"new",
 				"type":"view",
 				"fields":[{"type":"text","id":"12345789","name":"ignored!@#$"}],
-				"viewQuery":"invalid"
+				"viewQuery":"select '123' as abc"
 			}`),
 			Headers: map[string]string{
 				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
@@ -780,7 +780,7 @@ func TestCollectionCreate(t *testing.T) {
 				"name":"new",
 				"type":"view",
 				"fields":[{"type":"text","id":"12345789","name":"ignored!@#$"}],
-				"viewQuery": "select 1 as id from ` + core.CollectionNameSuperusers + `"
+				"viewQuery": "select 1 as id from ` + core.CollectionNameSuperusers + ` limit 1"
 			}`),
 			Headers: map[string]string{
 				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
@@ -789,7 +789,7 @@ func TestCollectionCreate(t *testing.T) {
 			ExpectedContent: []string{
 				`"name":"new"`,
 				`"type":"view"`,
-				`"fields":[{"autogeneratePattern":"","hidden":false,"id":"text3208210256","max":0,"min":0,"name":"id","pattern":"^[a-z0-9]+$","presentable":false,"primaryKey":true,"required":true,"system":true,"type":"text"}]`,
+				`"fields":[{"autogeneratePattern":"","help":"","hidden":false,"id":"text3208210256","max":0,"min":0,"name":"id","pattern":"^[a-z0-9]+$","presentable":false,"primaryKey":true,"required":true,"system":true,"type":"text"}]`,
 			},
 			ExpectedEvents: map[string]int{
 				"*":                              0,
@@ -1262,7 +1262,7 @@ func TestCollectionUpdate(t *testing.T) {
 			Body: strings.NewReader(`{
 				"name":"view2_update",
 				"fields":[{"type":"text","id":"12345789","name":"ignored!@#$"}],
-				"viewQuery": "select 2 as id, created, updated, email from ` + core.CollectionNameSuperusers + `"
+				"viewQuery": "select 2 as id, created, updated, email from ` + core.CollectionNameSuperusers + ` limit 1"
 			}`),
 			Headers: map[string]string{
 				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
@@ -1584,3 +1584,187 @@ func TestCollectionTruncate(t *testing.T) {
 		scenario.Test(t)
 	}
 }
+
+func TestCollectionOAuth2Providers(t *testing.T) {
+	t.Parallel()
+
+	scenarios := []tests.ApiScenario{
+		{
+			Name:            "unauthorized",
+			Method:          http.MethodGet,
+			URL:             "/api/collections/meta/oauth2-providers",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "authorized as regular user",
+			Method: http.MethodGet,
+			URL:    "/api/collections/meta/oauth2-providers",
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwiZXhwIjoyNTI0NjA0NDYxLCJyZWZyZXNoYWJsZSI6dHJ1ZX0.ZT3F0Z3iM-xbGgSG3LEKiEzHrPHr8t8IuHLZGGNuxLo",
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "authorized as superuser",
+			Method: http.MethodGet,
+			URL:    "/api/collections/meta/oauth2-providers",
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`{"name":"oidc3","displayName":"OIDC","logo":"\u003csvg`,
+			},
+			NotExpectedContent: []string{
+				`"order":`,
+				`"pkce":`,
+				`"scopes":`,
+				`"authURL":`,
+				`"tokenURL":`,
+				`"userInfoURL":`,
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func TestCollectionTestView(t *testing.T) {
+	t.Parallel()
+
+	scenarios := []tests.ApiScenario{
+		{
+			Name:            "unauthorized",
+			Method:          http.MethodPost,
+			URL:             "/api/collections/meta/dry-run-view",
+			Body:            strings.NewReader(`{"query":"select 1 as id"}`),
+			ExpectedStatus:  401,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "authorized as regular user",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"select 1 as id"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjRxMXhsY2xtZmxva3UzMyIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoiX3BiX3VzZXJzX2F1dGhfIiwiZXhwIjoyNTI0NjA0NDYxLCJyZWZyZXNoYWJsZSI6dHJ1ZX0.ZT3F0Z3iM-xbGgSG3LEKiEzHrPHr8t8IuHLZGGNuxLo",
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "authorized as superuser",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"select 1 as id"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"fields":[{`,
+				`"name":"id"`,
+				`"type":"text"`,
+				`"sample":[{`,
+				`"id":"1"`,
+			},
+		},
+		{
+			Name:   "empty query",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":""}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{"query":`,
+			},
+		},
+		{
+			Name:   "query length beyond validator limit",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"` + strings.Repeat("a", 5001) + `"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{"query":`,
+			},
+		},
+		{
+			Name:   "query with length equal to the validator limit",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"select 1 as id` + strings.Repeat(" ", 4986) + `"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"fields":[{`,
+				`"name":"id"`,
+				`"type":"text"`,
+				`"sample":[`,
+				`"id":"1"`,
+			},
+		},
+		{
+			Name:   "missing ids sample",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"(select 1 as id union select '' as id)"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{}`,
+				`Raw error:`,
+			},
+		},
+		{
+			Name:   "duplicated ids sample",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"(select 1 as id union all select 1 as id)"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{}`,
+				`Raw error:`,
+			},
+		},
+		{
+			Name:   "write query",
+			Method: http.MethodPost,
+			URL:    "/api/collections/meta/dry-run-view",
+			Body:   strings.NewReader(`{"query":"CREATE TABLE t1(x INT)"}`),
+			Headers: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6InN5d2JoZWNuaDQ2cmhtMCIsInR5cGUiOiJhdXRoIiwiY29sbGVjdGlvbklkIjoicGJjXzMxNDI2MzU4MjMiLCJleHAiOjI1MjQ2MDQ0NjEsInJlZnJlc2hhYmxlIjp0cnVlfQ.UXgO3j-0BumcugrFjbd7j0M4MQvbrLggLlcu_YNGjoY",
+			},
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{}`,
+				`Raw error:`,
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}

apis/extensions.go

@@ -0,0 +1,94 @@
+package apis
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+
+	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tools/hook"
+	"github.com/pocketbase/pocketbase/ui"
+)
+
+// bindUIExtensions binds the superuser UI extensions routes to the ServeEvent.Router.
+//
+// This method does nothing if the superuser UI is not bundled (aka. build with "no_ui" tag),
+func bindUIExtensions(app core.App) {
+	if ui.DistDirFS == nil {
+		return
+	}
+
+	app.OnServe().Bind(&hook.Handler[*core.ServeEvent]{
+		Priority: 9999, // execute as latest as possible
+		Func: func(se *core.ServeEvent) error {
+			uiGroup := se.Router.Group("/_").
+				BindFunc(func(e *core.RequestEvent) error {
+					if !e.App.IsDev() && e.Response.Header().Get("Cache-Control") == "" {
+						e.Response.Header().Set("Cache-Control", "max-age=1209600, stale-while-revalidate=86400")
+					}
+
+					if e.Response.Header().Get("Content-Security-Policy") == "" {
+						e.Response.Header().Set("Content-Security-Policy", defaultCSP)
+					}
+
+					return e.Next()
+				}).
+				Bind(Gzip())
+
+			// register static extension routes
+			for _, ext := range se.UIExtensions {
+				if ext.Name == "" || ext.FS == nil {
+					se.App.Logger().Debug("Invalid UI extension configuration", slog.Any("extension", ext))
+					continue
+				}
+
+				uiGroup.GET("/extensions/"+ext.Name+"/{path...}", Static(ext.FS, false))
+			}
+
+			// combine all extensions main.js in one file
+			//
+			// note: don't cache in memory to allow previewing changes without restart
+			uiGroup.GET("/extensions.js", func(re *core.RequestEvent) error {
+				buf := new(bytes.Buffer)
+
+				for _, ext := range se.UIExtensions {
+					err := copyExtensionMainjs(buf, ext)
+					if err != nil {
+						return re.InternalServerError("An error occurred while generating the main.js extension file", err)
+					}
+				}
+
+				return re.Stream(200, "text/javascript", buf)
+			}).Bind(SkipSuccessActivityLog())
+
+			return se.Next()
+		},
+	})
+}
+
+func copyExtensionMainjs(buf *bytes.Buffer, ext core.UIExtension) error {
+	f, err := ext.FS.Open("main.js")
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil // nothing to copy
+		}
+
+		return fmt.Errorf("[UI extension %q] main.js open error: %w", ext.Name, err)
+	}
+	defer f.Close()
+
+	// wrap in a self-executing function to avoid scope and concatenation issues
+	_, _ = buf.WriteString("(function(){")
+
+	_, err = io.Copy(buf, f)
+	if err != nil {
+		return fmt.Errorf("[UI extension %q] main.js copy error: %w", ext.Name, err)
+	}
+
+	_, _ = buf.WriteString("})();")
+
+	return nil
+}

apis/extensions_test.go

@@ -0,0 +1,177 @@
+package apis_test
+
+import (
+	"net/http"
+	"testing"
+	"testing/fstest"
+
+	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tests"
+	"github.com/pocketbase/pocketbase/ui"
+)
+
+// note: don't run in parallel to avoid conflicts with the ui.DistDirFS nil test
+func TestUIExtensions_Mainjs(t *testing.T) {
+	successAfterTestFunc := func(t testing.TB, app *tests.TestApp, res *http.Response) {
+		expected := "text/javascript"
+		if ct := res.Header.Get("content-type"); ct != expected {
+			t.Fatalf("Expected response Content-Type %q, got %q", expected, ct)
+		}
+	}
+
+	oldDistDirFS := ui.DistDirFS
+
+	scenarios := []tests.ApiScenario{
+		{
+			Name:   "disabled UI",
+			Method: http.MethodGet,
+			URL:    "/_/extensions.js",
+			TestAppFactory: func(t testing.TB) *tests.TestApp {
+				app, err := tests.NewTestApp()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				// simulate no_ui tag (needs to be cleared before the router is initialized)
+				ui.DistDirFS = nil
+
+				return app
+			},
+			AfterTestFunc: func(t testing.TB, app *tests.TestApp, res *http.Response) {
+				ui.DistDirFS = oldDistDirFS
+			},
+			ExpectedStatus:  404,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:            "no extensions",
+			Method:          http.MethodGet,
+			URL:             "/_/extensions.js",
+			AfterTestFunc:   successAfterTestFunc,
+			ExpectedStatus:  200,
+			ExpectedContent: []string{},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:   "with extensions",
+			Method: http.MethodGet,
+			URL:    "/_/extensions.js",
+			TestAppFactory: func(t testing.TB) *tests.TestApp {
+				app, err := tests.NewTestApp()
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				app.OnServe().BindFunc(func(e *core.ServeEvent) error {
+					e.UIExtensions = createTestExtensions()
+					return e.Next()
+				})
+
+				return app
+			},
+			AfterTestFunc:   successAfterTestFunc,
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"(function(){ext1_main})();(function(){ext3_main})();"},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+// note: don't run in parallel to avoid conflicts with the ui.DistDirFS nil test
+func TestUIExtensions_Files(t *testing.T) {
+	testAppFactory := func(t testing.TB) *tests.TestApp {
+		app, err := tests.NewTestApp()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		app.OnServe().BindFunc(func(e *core.ServeEvent) error {
+			e.UIExtensions = createTestExtensions()
+			return e.Next()
+		})
+
+		return app
+	}
+
+	scenarios := []tests.ApiScenario{
+		{
+			Name:            "no extensions",
+			Method:          http.MethodGet,
+			URL:             "/_/extensions/ext1/test.txt",
+			ExpectedStatus:  404,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:            "with missing extension file",
+			Method:          http.MethodGet,
+			URL:             "/_/extensions/ext1/missing",
+			TestAppFactory:  testAppFactory,
+			ExpectedStatus:  404,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:            "with existing extension file (ext1)",
+			Method:          http.MethodGet,
+			URL:             "/_/extensions/ext1/test.txt",
+			TestAppFactory:  testAppFactory,
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"ext1_txt"},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+		{
+			Name:            "with existing extension file (extension name escape)",
+			Method:          http.MethodGet,
+			URL:             "/_/extensions/ext3%20with%20spaces/test.txt",
+			TestAppFactory:  testAppFactory,
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"ext3_txt"},
+			ExpectedEvents:  map[string]int{"*": 0},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func createTestExtensions() []core.UIExtension {
+	return []core.UIExtension{
+		{
+			Name: "ext1",
+			FS: fstest.MapFS{
+				"main.js": &fstest.MapFile{
+					Data: []byte("ext1_main"),
+				},
+				"test.txt": &fstest.MapFile{
+					Data: []byte("ext1_txt"),
+				},
+			},
+		},
+		{
+			Name: "ext2",
+			FS: fstest.MapFS{
+				"test.txt": &fstest.MapFile{
+					Data: []byte("ext2_txt"),
+				},
+			},
+		},
+		{
+			Name: "ext3 with spaces",
+			FS: fstest.MapFS{
+				"main.js": &fstest.MapFile{
+					Data: []byte("ext3_main"),
+				},
+				"test.txt": &fstest.MapFile{
+					Data: []byte("ext3_txt"),
+				},
+			},
+		},
+	}
+}

apis/health.go

@@ -25,6 +25,7 @@ func healthCheck(e *core.RequestEvent) error {
 		Message: "API is healthy.",
 	}
 
+	// @todo evaluate whether it is worth removing the extra info from the health endpoint
 	if e.HasSuperuserAuth() {
 		resp.Data = make(map[string]any, 3)
 		resp.Data["canBackup"] = !e.App.Store().Has(core.StoreKeyActiveBackup)

apis/installer.go

@@ -12,6 +12,7 @@ import (
 	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
 	"github.com/pocketbase/pocketbase/tools/osutils"
+	"github.com/pocketbase/pocketbase/ui"
 )
 
 // DefaultInstallerFunc is the default PocketBase installer function.
@@ -22,13 +23,18 @@ import (
 //
 // See https://github.com/pocketbase/pocketbase/discussions/5814.
 func DefaultInstallerFunc(app core.App, systemSuperuser *core.Record, baseURL string) error {
+	if ui.DistDirFS == nil {
+		color.Magenta("You can create your first superuser by running: %s superuser upsert EMAIL PASS", executablePath())
+		return nil
+	}
+
 	token, err := systemSuperuser.NewStaticAuthToken(30 * time.Minute)
 	if err != nil {
 		return err
 	}
 
 	// launch url (ignore errors and always print a help text as fallback)
-	url := fmt.Sprintf("%s/_/#/pbinstal/%s", strings.TrimRight(baseURL, "/"), token)
+	url := fmt.Sprintf("%s/_/#/pbinstall/%s", strings.TrimRight(baseURL, "/"), token)
 	_ = osutils.LaunchURL(url)
 	color.Magenta("\n(!) Launch the URL below in the browser if it hasn't been open already to create your first superuser account:")
 	color.New(color.Bold).Add(color.FgCyan).Println(url)

apis/middlewares_body_limit.go

@@ -11,7 +11,7 @@ import (
 
 var ErrRequestEntityTooLarge = router.NewApiError(http.StatusRequestEntityTooLarge, "Request entity too large", nil)
 
-const DefaultMaxBodySize int64 = 32 << 20
+const DefaultMaxBodySize int64 = 32 << 20 // @todo consider replacing with router.DefaultMaxMemory
 
 const (
 	DefaultBodyLimitMiddlewareId       = "pbBodyLimit"

apis/record_auth_methods.go

@@ -34,6 +34,7 @@ type oauth2Response struct {
 type providerInfo struct {
 	Name        string `json:"name"`
 	DisplayName string `json:"displayName"`
+	Logo        string `json:"logo"`
 	State       string `json:"state"`
 	AuthURL     string `json:"authURL"`
 
@@ -68,7 +69,14 @@ func (amr *authMethodsResponse) fillLegacyFields() {
 	amr.UsernamePassword = amr.Password.Enabled && slices.Contains(amr.Password.IdentityFields, "username")
 
 	if amr.OAuth2.Enabled {
-		amr.AuthProviders = amr.OAuth2.Providers
+		// clone without the logo
+		legacyProviders := make([]providerInfo, len(amr.OAuth2.Providers))
+		for i, p := range amr.OAuth2.Providers {
+			legacyProviders[i] = p
+			legacyProviders[i].Logo = ""
+		}
+
+		amr.AuthProviders = legacyProviders
 	}
 }
 
@@ -128,6 +136,7 @@ func recordAuthMethods(e *core.RequestEvent) error {
 		info := providerInfo{
 			Name:        config.Name,
 			DisplayName: provider.DisplayName(),
+			Logo:        provider.Logo(),
 			State:       security.RandomString(30),
 		}
 

apis/record_auth_methods_test.go

@@ -54,6 +54,8 @@ func TestRecordAuthMethodsList(t *testing.T) {
 				`"providers":[{`,
 				`"name":"google"`,
 				`"name":"gitlab"`,
+				`"logo":"\u003csvg`,
+				`"logo":""`, // for the legacy fields
 				`"state":`,
 				`"displayName":`,
 				`"codeVerifier":`,

apis/record_auth_with_oauth2_redirect.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/pocketbase/pocketbase/core"
 	"github.com/pocketbase/pocketbase/tools/subscriptions"
+	"github.com/pocketbase/pocketbase/ui"
 )
 
 const (
@@ -28,17 +29,12 @@ type oauth2RedirectData struct {
 }
 
 func oauth2SubscriptionRedirect(e *core.RequestEvent) error {
-	redirectStatusCode := http.StatusTemporaryRedirect
-	if e.Request.Method != http.MethodGet {
-		redirectStatusCode = http.StatusSeeOther
-	}
-
 	data := oauth2RedirectData{}
 
 	if e.Request.Method == http.MethodPost {
 		if err := e.BindBody(&data); err != nil {
 			e.App.Logger().Debug("Failed to read OAuth2 redirect data", "error", err)
-			return e.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
+			return failureRedirect(e)
 		}
 	} else {
 		query := e.Request.URL.Query()
@@ -49,13 +45,13 @@ func oauth2SubscriptionRedirect(e *core.RequestEvent) error {
 
 	if data.State == "" {
 		e.App.Logger().Debug("Missing OAuth2 state parameter")
-		return e.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
+		return failureRedirect(e)
 	}
 
 	client, err := e.App.SubscriptionsBroker().ClientById(data.State)
 	if err != nil || client.IsDiscarded() || !client.HasSubscription(oauth2SubscriptionTopic) {
 		e.App.Logger().Debug("Missing or invalid OAuth2 subscription client", "error", err, "clientId", data.State)
-		return e.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
+		return failureRedirect(e)
 	}
 	defer client.Unsubscribe(oauth2SubscriptionTopic)
 
@@ -76,7 +72,7 @@ func oauth2SubscriptionRedirect(e *core.RequestEvent) error {
 	encodedData, err := json.Marshal(data)
 	if err != nil {
 		e.App.Logger().Debug("Failed to marshalize OAuth2 redirect data", "error", err)
-		return e.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
+		return failureRedirect(e)
 	}
 
 	msg := subscriptions.Message{
@@ -88,10 +84,36 @@ func oauth2SubscriptionRedirect(e *core.RequestEvent) error {
 
 	if data.Error != "" || data.Code == "" {
 		e.App.Logger().Debug("Failed OAuth2 redirect due to an error or missing code parameter", "error", data.Error, "clientId", data.State)
-		return e.Redirect(redirectStatusCode, oauth2RedirectFailurePath)
+		return failureRedirect(e)
 	}
 
-	return e.Redirect(redirectStatusCode, oauth2RedirectSuccessPath)
+	return successRedirect(e)
+}
+
+func redirectStatusCode(e *core.RequestEvent) int {
+	if e.Request.Method != http.MethodGet {
+		return http.StatusSeeOther
+	}
+
+	return http.StatusTemporaryRedirect
+}
+
+func failureRedirect(e *core.RequestEvent) error {
+	// fallback if UI is not bundled
+	if ui.DistDirFS == nil {
+		return e.String(http.StatusOK, "Failed to authenticate. You can close this window and go back to the app to try again.")
+	}
+
+	return e.Redirect(redirectStatusCode(e), oauth2RedirectFailurePath)
+}
+
+func successRedirect(e *core.RequestEvent) error {
+	// fallback if UI is not bundled
+	if ui.DistDirFS == nil {
+		return e.HTML(http.StatusOK, "Auth completed. You can close this window and go back to the app.")
+	}
+
+	return e.Redirect(redirectStatusCode(e), oauth2RedirectSuccessPath)
 }
 
 // parseAndStoreAppleRedirectName extracts the first and last name

apis/serve.go

@@ -22,6 +22,8 @@ import (
 	"golang.org/x/crypto/acme/autocert"
 )
 
+const defaultCSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' http://127.0.0.1:* https://tile.openstreetmap.org data: blob:; connect-src 'self' http://127.0.0.1:* https://nominatim.openstreetmap.org; script-src 'self' http://127.0.0.1:*; frame-src 'none'"
+
 // ServeConfig defines a configuration struct for apis.Serve().
 type ServeConfig struct {
 	// ShowStartBanner indicates whether to show or hide the server start console message.
@@ -77,21 +79,25 @@ func Serve(app core.App, config ServeConfig) error {
 		AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
 	}))
 
-	pbRouter.GET("/_/{path...}", Static(ui.DistDirFS, false)).
-		BindFunc(func(e *core.RequestEvent) error {
-			// ignore root path
-			if e.Request.PathValue(StaticWildcardParam) != "" {
-				e.Response.Header().Set("Cache-Control", "max-age=1209600, stale-while-revalidate=86400")
-			}
+	// @todo consider moving in base
+	if ui.DistDirFS != nil {
+		pbRouter.GET("/_/{path...}", Static(ui.DistDirFS, false)).
+			BindFunc(func(e *core.RequestEvent) error {
+				if !e.App.IsDev() &&
+					// exclude root path
+					e.Request.PathValue(StaticWildcardParam) != "" &&
+					e.Response.Header().Get("Cache-Control") == "" {
+					e.Response.Header().Set("Cache-Control", "max-age=1209600, stale-while-revalidate=86400")
+				}
 
-			// add a default CSP
-			if e.Response.Header().Get("Content-Security-Policy") == "" {
-				e.Response.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' http://127.0.0.1:* https://tile.openstreetmap.org data: blob:; connect-src 'self' http://127.0.0.1:* https://nominatim.openstreetmap.org; script-src 'self' 'sha256-GRUzBA7PzKYug7pqxv5rJaec5bwDCw1Vo6/IXwvD3Tc='")
-			}
+				if e.Response.Header().Get("Content-Security-Policy") == "" {
+					e.Response.Header().Set("Content-Security-Policy", defaultCSP)
+				}
 
-			return e.Next()
-		}).
-		Bind(Gzip())
+				return e.Next()
+			}).
+			Bind(Gzip())
+	}
 
 	// start http server
 	// ---
@@ -279,8 +285,12 @@ func Serve(app core.App, config ServeConfig) error {
 		)
 
 		regular := color.New()
-		regular.Printf("├─ REST API:  %s\n", color.CyanString("%s/api/", baseURL))
-		regular.Printf("└─ Dashboard: %s\n", color.CyanString("%s/_/", baseURL))
+		if ui.DistDirFS == nil {
+			regular.Printf("└─ REST API:  %s\n", color.CyanString("%s/api/", baseURL))
+		} else {
+			regular.Printf("├─ REST API:  %s\n", color.CyanString("%s/api/", baseURL))
+			regular.Printf("└─ Dashboard: %s\n", color.CyanString("%s/_/", baseURL))
+		}
 	}
 
 	var serveErr error

apis/settings.go

@@ -16,6 +16,8 @@ func bindSettingsApi(app core.App, rg *router.RouterGroup[*core.RequestEvent]) {
 	subGroup.PATCH("", settingsSet)
 	subGroup.POST("/test/s3", settingsTestS3)
 	subGroup.POST("/test/email", settingsTestEmail)
+
+	// @todo move to collections
 	subGroup.POST("/apple/generate-client-secret", settingsGenerateAppleClientSecret)
 }
 
@@ -62,12 +64,12 @@ func settingsSet(e *core.RequestEvent) error {
 			return e.BadRequestError("An error occurred while saving the new settings.", err)
 		}
 
-		appSettings, err := e.App.Settings().Clone()
-		if err != nil {
-			return e.InternalServerError("Failed to clone app settings.", err)
-		}
-
 		return execAfterSuccessTx(true, e.App, func() error {
+			appSettings, err := e.App.Settings().Clone()
+			if err != nil {
+				return e.InternalServerError("Failed to clone app settings.", err)
+			}
+
 			return e.JSON(http.StatusOK, appSettings)
 		})
 	})